We have some exciting news to share with our friends, customers, and partners. Effective February 1, we have officially welcomed Vico Marziale and Joe Sylve of 504ensics into the BlackBag Technologies family. BlackBag and 504ensics have been working together for some time now, sharing complementary expertise and, more formally, collaborating on our new triage product, Mobilyze. In particular, 504ensics helped develop some of the new Android acquisition functionality, which has drawn significant praise from a number of customers.
Most in the forensic community know Joe for his work in Android and memory forensics. He holds both a B.S. and an M.S. in Computer Science with concentrations in Information Assurance from the University of New Orleans, and is also a GIAC Certified Forensic Analyst. He is the author of LiME Forensics, the first tool set that allows full physical memory acquisition from Android devices. He is also the developer of Dalvik Inspector, a tool which [...]

For some time now, examiners have been searching for ways to efficiently and easily capture the screens of iOS devices. Much time and effort has been spent struggling with cameras on stands, dealing with glare from overhead lighting, and out-of-focus still shots. Over time, several apps have been created to make the screen capture process easier. However, these apps tend to present drawbacks for forensic examiners. For example, some apps require the iOS device and computer to be on the same Wi-Fi network in order to work, and some apps support only specific iOS devices.

QuickTime and Mac OS X Yosemite (10.10)
The venerable QuickTime application, which has been part of all Apple operating systems since System Software 6 (1991), received a quietly released update for Yosemite. QuickTime now supports video screen captures of an attached iOS device. Here’s how to do it.
Note: Prior to carrying out these steps, it is recommended that the examiner follow the typical precautionary [...]

Adding an iOS device to BlackLight is an easy task, once all requirements are met as set forth by Apple. The following article contains instructions to logically acquire and examine an iOS 7 or later device using BlackLight. Currently, newer iOS devices (i.e., iPhone 4 and later, iPad 2 and later) have enhanced hardware and software security requiring either the device's PIN code or passphrase to be unlocked, or the analyst to possess the specific pairing certificate for the device. There is no bypass for these security features (unless the device has been previously jailbroken, which is outside the scope of this article). From a forensics standpoint, knowing the PIN code/passphrase is the easiest path to gleaning the most information from a device, but the examiner may also gain access to many data points if a pairing certificate for the specific iOS device can be located.

One aspect of digital forensics that merits specific attention for today's investigators is Apple's FileVault 2 encryption. FileVault 2 has become increasingly prevalent on OS X systems since its release in 2011, and in fact with OS X Yosemite, it is even more likely that FileVault 2 will be enabled. With that in mind, we recently created a video demonstrating how to image a FileVault 2-encrypted volume with MacQuisition, BlackBag's versatile, 3-in-1 acquisition tool. What appears below is the narrative script used for the video, should you prefer to view it in a readable format. However, we would also urge you to check out the video itself, which appears above.

Introduction
Welcome to BlackBag Technologies' how-to instructional video, 'Imaging a FileVault Volume Using MacQuisition.'
In this video, we will demonstrate using BlackBag Technologies' MacQuisition to image a Macintosh computer that contains a FileVault 2 volume. In order to accomplish this, the examiner will need to know the login [...]

Today we are thrilled to announce the launch of Mobilyze, our new ultra-fast mobile data triage tool, capable of acquiring data from both Android and iOS devices. We created Mobilyze after several ride-alongs and countless conversations with customers who expressed a growing need for something to address the mountain of smartphones backlogged in evidence. More than anything, this is what Mobilyze was built for. Mobilyze is a tool that we are extremely proud of and we think it carries enormous value as an addition to any forensic toolkit. Listed below are a few distinguishing features that users can take advantage of with Mobilyze:
* Start viewing and filtering data in real time as it is being acquired
* Unplug your device during acquisition and Mobilyze will preserve all of the data collected to that point
* Acquire everything or specifically choose which applications to collect from
* Generate a court-ready Mobilyze Report in PDF or HTML
* Import directly into [...]

On September 17, Apple released iOS 8, one of the most secure operating systems available on any platform. Specific features of iOS 8 allow for greater security for the end user, and enhanced security within the iCloud service gives customers more peace of mind. Whenever technology changes, investigators and analysts have to pause and rethink methods with which they have previously found success. For iOS 8 and the latest iteration of iCloud, we have noted areas of concern. Some of these concerns are also relevant for previous iOS versions, but are included here for completeness and/or to demonstrate change.

Protection of an iOS 8 Device
As with any device, the iOS 8 device must be protected immediately upon its seizure because the device can be affected through external sources such as iCloud.com and the Find My iPhone app. To protect the device, one should attempt to perform all four of the following steps:

Time zone and clock information are vital points in an investigation. An examiner must be able to confirm the time zone setting to make accurate representations of dates retained on disk. Likewise, the examiner must confirm the system clock for accuracy. OS X incorporates various settings to ensure the system time is accurate.

The ‘Date & Time’ preference pane, found in the user's ‘System Preferences’ window, includes specific settings of importance. The first setting is in the sub-pane, which is also named ‘Date & Time.’ It contains the checkbox ‘Set date and time automatically’ and allows the user to select a time server to connect to, depending on the desired region. For automatic time zone adjustments to occur, a user must have Wi-Fi enabled and an internet connection properly established.

The second setting is found within the sub-pane of ‘Date & Time’ called ‘Time Zone.’ It contains options for automatically setting the time zone based on the user’s location [...]

2014 promises to be a truly new year for BlackBag! We have new products in the works, new team members coming aboard, and new customers discovering the value of BlackBag's constantly evolving lineup of software, training, and services. Here on the BlackBag Blog, we'll be touching on all of that over the next few months, plus providing useful tips, tricks, and trends from our growing team of Forensic Analysts and Instructors. Today, however, we're talking about the first FREE course that BlackBag has ever offered: BlackLight Tool Training.

Evolved from the course formerly known as BBT-320, BlackLight Tool Training is a two-day scenario-based course designed specifically to train our customers on how to use BlackLight. During the course, students learn fundamental investigative strategies in a truly hands-on style, walking through multiple case studies involving a wide variety of digital evidence. The course also includes a chance to sit for the new Certified BlackLight Examiner designation, a BlackLight-specific certification that was [...]

There are many legitimate reasons why someone might wipe an iOS device. A corporate IT administrator might do so prior to assigning a device to a different user, or a user might do so before they install a major iOS update. A user might also wipe a device to hide potential evidence. If they are successful, the only reliable evidence may be the data wiping evidence itself. For instance, if an investigator determines that an iOS device is not new and the subject has had access to the device over a period of time, and/or the subject tended to send frequent text messages, but there is only one sms.db (and/or other associated messaging artifacts) with a recent creation date, there may be some support for a device wiping claim. If the device also contains artifacts unique to data wiping, an investigator can definitively support a device wiping claim.

Some people have the ability to look into the future and envision possibilities that others can't begin to comprehend. Only a few of these people have the conviction, talent, and moxie to see their vision through. It is a very rare person indeed that possesses all these qualities plus humility and kindness. The computing community lost such an individual last Tuesday, and we wanted to take a moment to recognize him.
Doug Engelbart's most widely recognized creation was the computer mouse. According to this article, he created and patented this well-known technology so early on (we're talking the '60s and '70s, folks) that just a few short years after the computer mouse was made commercially available (shipped with the first Apple Mac in 1984!), patent protection expired.
But Mr. Engelbart's technological contributions extended far beyond just the computer mouse. He and his colleagues also helped pioneer the very networking technologies (video teleconferencing, networking hardware, and even the Internet [...]